OWASP Top 10 Mobile: Unintended Data Leakage

Continuing with our series on the OWASP Top 10 Mobile threats, the fourth most exploited mobile threat is called Unintended Data Leakage.

What is Unintended Data Leakage?

Unintended data leakage occurs when a developer inadvertently places sensitive information or data in a location on the mobile device that is easily accessible by other apps on the device. This insecure location could be accessible to other malicious apps running on the same device, thus leaving the device in a serious risk state.

How does Unintended Data Leakage work?

First, a developer’s code processes sensitive information supplied by the user or the backend. During that processing, a side-effect (that is unknown to the developer) results in that information being placed into an insecure location on the mobile device that other apps on the device may have open access to. Typically, these side-effects originate from the underlying mobile device’s operating system (OS). An attacker can simply write a small piece of code to access the location where the sensitive information is stored.

What is the difference between Insecure Data Storage and Unintended Data Leakage?

This is something that is often confused. The second most exploited mobile threat is the Insecure Data Storage. In simple words, here’s the difference between the two

In Android 4.0 and below, the Android log can easily be read by all apps including malicious ones by acquiring the READLOGS permission. Android 4.1 has introduced a change to this behavior to prevent such log leakage attacks: The READLOG permissions are no longer required; however, applications can only listen to their own logs. We will next see how a malicious app can manipulate Firefox for Android to leak its own private log in order to overcome this obstacle.